The botnet is named after a Ukrainian startup that poses as a legitimate online SEO service, and it currently numbers around 290,000 malware-infected machines that continually spam millions of websites in a large-scale referrer spam campaign.
The goal of referrer spam is to create backlinks to a specific URL by abusing publicly-available access logs.
Semalt - and other offenders that engage in this kind of practice - use script bots that ignore the robots exclusion standard (the site's robots.txt file that gives instructions to web crawlers) and spam the server with requests.
"The process is fairly straightforward. The bots access hundreds of thousands of websites in bulk, sending out requests with a synthetically-generated 'Referrer' header. Each of these headers contains the website URL the perpetrators are trying to boost," researcher Ofer Gayer explained.
"All such requests are automatically recorded in access logs, creating an HTML referrer link. These links are then crawled by search engines, while accessing these publicly-available HTML resources."
This artificially improves search engine rankings of the company's customers, which in time "can cause long-term SEO damage to websites, ranging from demotion in search engine result pages (SERP) to complete SERP blacklisting and removal."
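The mechanism described above leaves a recognisable trace in a site's own access logs, which is where a defender can catch it. The following is an added example, not code from the article or from Incapsula: it parses Apache/nginx "combined" format log lines (the sample lines, IPs and the `spam-seo.example` domain are constructed for the demonstration), groups requests by referrer domain, and flags a domain as referrer spam when its requests arrive from many distinct client IPs none of which ever loads a page asset such as CSS or JavaScript. That heuristic is an assumption of this example, based on the fact that a bot sending a synthetic Referer header does not render the page; a real browser arriving from a genuine link does. It also emits an Apache 2.4 `SetEnvIfNoCase Referer` fragment as one way to refuse the flagged referrers.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sub-resources a rendering browser fetches after the HTML page itself.
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff", ".woff2")

# Constructed sample log lines (hypothetical site example.org). Four unrelated
# client IPs all claim to come from spam-seo.example and load no assets;
# three visitors from news.example each go on to fetch CSS/JS.
LOG_LINES = [
    '203.0.113.10 - - [10/Dec/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-seo.example/" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Dec/2014:10:00:02 +0000] "GET /about HTTP/1.1" 200 3100 "http://spam-seo.example/" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Dec/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "http://spam-seo.example/" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Dec/2014:10:00:04 +0000] "GET /blog HTTP/1.1" 200 4200 "http://spam-seo.example/page" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2014:10:01:00 +0000] "GET /blog HTTP/1.1" 200 4200 "https://news.example/story" "Mozilla/5.0 (X11)"',
    '198.51.100.7 - - [10/Dec/2014:10:01:01 +0000] "GET /static/site.css HTTP/1.1" 200 900 "https://example.org/blog" "Mozilla/5.0 (X11)"',
    '198.51.100.8 - - [10/Dec/2014:10:02:00 +0000] "GET /blog HTTP/1.1" 200 4200 "https://news.example/story" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2014:10:02:01 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 2000 "https://example.org/blog" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2014:10:03:00 +0000] "GET /blog HTTP/1.1" 200 4200 "https://news.example/story" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2014:10:03:01 +0000] "GET /static/site.css HTTP/1.1" 200 900 "https://example.org/blog" "Mozilla/5.0"',
    'not a log line at all',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_domain(referer):
    """Normalise a Referer value to its lower-cased host; None for '-' or empty."""
    if referer in ("", "-"):
        return None
    host = urlparse(referer).hostname
    return host.lower() if host else None


def is_asset(path):
    """True if the request path (query string stripped) looks like a page sub-resource."""
    return path.split("?", 1)[0].lower().endswith(ASSET_EXT)


def find_referrer_spam(lines, site_host, min_ips=3):
    """Return {referrer_domain: sorted client IPs} for domains that look like referrer spam.

    Heuristic (an assumption of this example): a referrer domain is suspicious when
    at least `min_ips` distinct client IPs present it and none of those IPs ever
    fetched an asset, i.e. nobody behind that referrer actually rendered a page.
    Referrers pointing at the site itself are ignored as ordinary navigation.
    """
    ips_by_ref = defaultdict(set)
    ips_that_loaded_assets = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_asset(rec["path"]):
            ips_that_loaded_assets.add(rec["ip"])
            continue
        dom = referrer_domain(rec["referer"])
        if dom is None or dom == site_host.lower():
            continue
        ips_by_ref[dom].add(rec["ip"])
    flagged = {}
    for dom, ips in ips_by_ref.items():
        if len(ips) >= min_ips and not (ips & ips_that_loaded_assets):
            flagged[dom] = sorted(ips)
    return flagged


def apache_block_snippet(domains):
    """Build an Apache 2.4 httpd.conf fragment that denies requests carrying a flagged Referer."""
    lines = [f'SetEnvIfNoCase Referer "{re.escape(d)}" referrer_spam' for d in sorted(domains)]
    lines += ["<RequireAll>", "    Require all granted", "    Require not env referrer_spam", "</RequireAll>"]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_referrer_spam(LOG_LINES, site_host="example.org")
    for dom, ips in hits.items():
        print(f"{dom}: {len(ips)} bot IPs, e.g. {ips[:3]}")
    print(apache_block_snippet(hits))
```

Run against the constructed lines, `spam-seo.example` is reported with its four client IPs while `news.example` is not, because its visitors went on to load CSS and JavaScript. The asset check is what keeps a popular legitimate link from being flagged merely for sending many visitors; the blocking fragment is a starting point that should sit behind a review of the flagged list, since a mistake there denies real traffic.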
To perform all of this, the company uses a botnet generated by malware hidden in a utility called "Soundfrost", which includes machines on over 290,000 different IP addresses around the world. Nearly 60 percent of those machines are located in Brazil.
The Semalt bot is an effective beast, as it bypasses common bot detection and filtering methods, and the botnet allows it to circumvent IP blacklisting and rate-limiting protection.
With all this in mind, Incapsula has begun blocking Semalt bots by default for all of its accounts, and hopes others will follow its lead.